
Why HIPAA Compliance Should Scare You and What You Should Ask Your Business Phone Service Provider NOW

By Mike McAlpen, 8x8 Executive Director of Privacy, Security and Compliance

The Champion For Business Communications

Contents

The US government really does care that your phones comply
Your business is responsible for reading the fine print
How far will 8x8 go for your security?
Why choose a compliant cloud-based VoIP solution?
Get it in writing
BAAs: An important compliance feature
Failure to comply is not an option
Peace of mind

Why You Should Ask Your Business Phone Service Provider about HIPAA Compliance

What is HIPAA, how does it relate to business phone systems, and why should you care? Federal regulations have changed, and your compliance burden might have increased without your knowledge.

The Health Insurance Portability and Accountability Act (HIPAA) provides federal protections for Personal Health Information (PHI). As of January 2013, HIPAA covers not only the traditional covered entities, such as medical providers and payers, but the entire chain of third parties that create, receive, maintain or transmit PHI, also known as business associates. In other words, the scope of the regulations is broader and now covers many more people and businesses than before. The law requires all of these entities to safeguard the confidentiality, integrity and availability of this private information through a variety of means, such as encrypting patient record PHI or insurance information stored or transmitted by computers.

HIPAA compliance used to be something that mostly affected healthcare and directly related businesses. Now, any company that creates, receives, maintains or transmits PHI (which is turning out to be the majority of US companies) must comply. This includes business phone service providers, including VoIP services.

The US government really does care that your phones comply

This brings us back to the question: As a user of business phone service, why should you care? After all, there has not been a great deal of discussion about HIPAA compliance and business communication systems in mainstream venues. Many of those who are now at risk from these new HIPAA regulatory requirements may not be aware that they are now considered a business associate under these new expanded HIPAA regulations.

But when it comes to phone systems, a lack of awareness about the need for compliance will not get you off the hook, as this is a law. If you are a covered entity or one of the thousands of new business associates, and your business communications system is not compliant with these latest HIPAA requirements, your business may be at risk. If your business is involved in an investigation, there could be significant financial penalties and/or federal litigation for not meeting HIPAA privacy requirements.

Enforcement is also being stepped up. In January 2013, the latest Omnibus Final Rulings update to HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act expanded their regulatory scope and added more random audits, as well as stiffer penalties for noncompliance.

"Unfortunately, many of those who are now violating these regulatory requirements may not even be aware that they fall under these newly expanded HIPAA regulations."
Mike McAlpen, Executive Director of Security and Compliance at 8x8

Even less well known is the fact that these new HIPAA business associates could face regulatory problems due to the compliance violations of companies they do business with. It is now up to covered businesses to negotiate a HIPAA Business Associate Agreement with any of their third parties that create, receive, maintain or transmit PHI on their behalf. To be compliant, all organizations covered under HIPAA must have HIPAA Business Associate Agreements in place with all of their partners that handle PHI on their behalf, ensuring that these partners are legally obligated to maintain compliant levels of PHI data confidentiality, integrity and availability.

Your business is responsible for reading the fine print

If you own your telephone switching equipment, like most users of on-premises PBXs, you're responsible for making sure the service is compliant and protects any stored information. But if you subscribe to telecommunications services, then you must ensure that your service provider is not only a HIPAA-compliant business associate, but that all of your provider's covered third parties are fully HIPAA compliant and have signed Business Associate Agreements with the communications service provider.

And communications services are decidedly not created equal. Some well-known communications solution providers are, in fact, not at all HIPAA compliant, let alone compliant with the latest HIPAA HITECH Omnibus regulations. This is particularly true with cloud VoIP providers. Many have admitted publicly that when it comes to information covered by HIPAA, their business phone systems should not be used for these purposes.[1] Due to the challenges involved in meeting these requirements, many providers have not even attempted it.

This means that someone at your organization needs to ask the question, "Do our phone, fax, and other communications solutions comply with the latest HIPAA requirements?"

[1] RingCentral S-1 filing, SEC, August 26, 2013, p. 28, found at edgar/data/ / / d310247ds1.htm.

"If you use a cloud-based service, [its provider] should be your business associate."
David Holtzman, U.S. Health and Human Services Department's Office for Civil Rights, Privacy Division

How far will 8x8 go for your security?

Achieving HIPAA compliance takes significant skill, knowledge, experience, resources, equipment and other financial commitments. Many firms just do not have the resources or expertise necessary to attain compliance.

For example, HIPAA mandates protection of data. So, to ensure the security of stored data such as voicemails, faxes, and call recordings, the 8x8 service is housed in multiple redundant, top-tier, state-of-the-art, SSAE 16 certified data centers. Each is staffed 24/7 and equipped with high-grade security features, equipment and procedures. Multiple layers of physical security protect against unauthorized access. These layers include mantraps, biometric hand geometry readers, visual confirmation, and 24-hour video surveillance.

8x8 has gained some of the highest possible levels of third-party compliance validations. This investment in our customers' protection is part of the reason why 8x8 services can be configured to be HIPAA compliant, with administrative controls and restrictions to protect stored faxes, recordings and voicemails. We also offer our customers optional FIPS (Level 2) compliant data-in-motion and data-at-rest encryption.

Why choose a compliant cloud-based VoIP solution?

You get two major benefits from choosing a cloud-based VoIP solution from a HIPAA HITECH Omnibus-compliant provider with HIPAA-compliant downstream business associates. First, a hosted or cloud-based system is provided over the Internet by a service provider that maintains the solution, so you don't have the overhead of upgrading, managing or maintaining the system. And second, you shift significant aspects of the compliance and security burdens to the provider.

Get it in writing

With steep fines (up to $1.5 million for each egregious violation), many businesspeople are left wondering how to make sure their communications provider is HIPAA/HITECH compliant. Whether auditing your existing system or evaluating a new service, you should ask the question: Can your communications provider (of business phone service, fax service, call center, web conferencing, etc.) offer a HIPAA Business Associate Agreement (BAA) that is compliant with the latest expanded HIPAA HITECH Omnibus regulations?

BAAs: An important compliance feature

Offering an updated business associate agreement means that a phone service provider is willing to stand behind its compliance and say in writing that it has the proper privacy and security controls in place. Don't settle for anything less, experts say.

"If you use a cloud-based service, it should be your business associate," says David Holtzman of the US Health and Human Services Department's Office for Civil Rights, Privacy Division. "If your business is going to use a vendor that stores PHI on your behalf, you must have a Business Associate Agreement in place. If they refuse to sign, don't use the service."

The rigor with which 8x8 has developed the several types of BAAs it offers is an important service feature. These agreements, based on nationally recognized HIPAA legal expertise, cover all aspects of the downstream compliance issues involved with third-party associates. The ability of 8x8 to stand behind these agreements, combined with extensive audit trail capabilities within the system, means that 8x8 customers get written documentation that their business communications won't jeopardize their own HIPAA compliance efforts.

8x8 cloud-based service doesn't just eliminate the headaches of managing a premises-based phone system. It also addresses HIPAA HITECH Omnibus communications services compliance worries.

Failure to comply is not an option

Choosing a provider that cannot assure that its solution and back-end systems are HIPAA/HITECH compliant, and that can't provide you with the correct version of a fully HIPAA compliant BAA, can put your business at significant risk of heavy fines from regulators.

Peace of mind

These features offer the further benefit of ensuring the general security of your business communications, while offering you the peace of mind that the compliance experts at 8x8 will keep their solutions updated with all the latest security capabilities and requirements. 8x8 offers the confidence of knowing that your communications are compliant. It also gives you a great answer to the question, "Are our communications HIPAA-compliant?"

About the Author

Mike McAlpen, CISM, is the Executive Director of Privacy, Security and Compliance at 8x8. Prior to that, he was a Senior Director of Global Information Security at Visa. He also works with the FBI and Department of Homeland Security and the U.S. Secret Service's Cyber Crime Task Force. In addition, he is an active member of the American Bar Association SciTech Law InfoSec and Digital Evidence Committees, as well as the eDiscovery and Data Governance Committees. A frequent speaker at RSA and other security conferences, he serves as a senior member of the board of directors of the International Systems Security Association (ISSA), Silicon Valley, and is a certified member of ISACA (Information Systems Audit and Control Association) and a member of the International Communications Fraud Control Association (CFCA). Finally, Mike is a senior member of the Secureworld Silicon Valley CISO Advisory Board and an original member of the Cloud Security Alliance (CSA).

For more information, call or visit

NASDAQ: EGHT. The 8x8, Inc. logo is a registered trademark of 8x8, Inc. 8x8, Inc. is a publicly traded company.
